
[Video] Metasploit Vs. Adobe PDFs

Brief Overview
This screencast demonstrates vulnerabilities in Adobe PDF Reader. Instead of creating a mass of vulnerable files, the attacker creates two PDFs: one relies on no user interaction and simply crashes the reader, whereas the other requires the user to click through a few warning screens, after which they are presented with a document.

The attacker emails these documents to the target (though they first have to compress and encrypt the documents to get them past the mail server).

What do I need?
* Metasploit (can be found on BackTrack 4-R2)
* SendEmail + SMTP details (SendEmail can be found on BackTrack 4-R2)
* A PDF document (either create your own or find one using an internet search engine)
* The target will need a vulnerable version of Adobe Reader (v9.3 for example)

Method
* Start network services and obtain an IP address
* Run metasploit and search for PDF exploits
* Configure exploit and create a vulnerable file
* Compress and encrypt PDF
* Socially engineer an email to the target and attach file
* Wait for target to download and open file
* Game Over
* Locate a "legit" PDF document and bind it with the exploit
* Compress and encrypt PDF document
* Socially engineer an email to the target and attach file
* Wait for target to download and open file
* Game Over ...again

Walk-through
The attacker approaches this attack similarly to a previous method, however instead of producing a collection of different files which are not going to be used, they choose to target a program which is very commonly installed (and rarely updated!): Adobe Reader.

To start things going, the attacker starts their network connection and runs metasploit. When metasploit is ready, they search its database for known exploits for PDF files. "windows/fileformat/adobe_libtiff" has the most recent disclosure date (2010-02-16) relative to the date of the recording (2011-03-22). After choosing it and looking at the exploit in more detail, the attacker notes the vulnerable versions of Adobe Reader (8.0 - 8.2, 9.0 - 9.3), one of which the target HAS to have for this exploit to work.

The attacker then proceeds to enter all the necessary information for the exploit to function, then creates the exploit when it is ready.

Like before, the attacker chooses to socially engineer the target by sending them an email, however this time around they want to attach the file instead of linking to it.
The attacker enters a brief description of what the PDF is meant to contain. However, when the attacker tries to send the message, the SMTP server disallows the PDF attachment. The attacker therefore compresses and encrypts the PDF, which prevents the attachment from being inspected (the attacker alters the original message to include the password).
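Added example (not from the video or the post): a small Python check a mail gateway could run on a raw attachment, showing why the compress-and-encrypt step matters from the defender's side. A bare PDF is rejected, as the post's SMTP server did, but a ZIP's general-purpose flag also reveals that the archive is password protected and therefore cannot be content-scanned, so it can be quarantined instead of waved through. The ZIP header walk and the constructed sample archive are assumptions made for illustration.

```python
import io
import struct
import zipfile

LOCAL_HEADER_SIG = b"PK\x03\x04"
FLAG_ENCRYPTED = 0x0001        # general-purpose bit 0: entry is password protected
FLAG_DATA_DESCRIPTOR = 0x0008  # bit 3: sizes follow the data, header sizes are zero

def inspect_attachment(data: bytes) -> dict:
    """Classify raw attachment bytes the way a mail gateway might before delivery."""
    if data.startswith(b"%PDF-"):
        return {"kind": "pdf", "encrypted": False, "members": []}
    if not data.startswith(LOCAL_HEADER_SIG):
        return {"kind": "unknown", "encrypted": False, "members": []}
    result = {"kind": "zip", "encrypted": False, "members": []}
    offset = 0
    # Walk the local file headers: 30 fixed bytes, then name, extra field and compressed data.
    while data[offset:offset + 4] == LOCAL_HEADER_SIG:
        flags, _, _, _, _, csize, _, nlen, xlen = struct.unpack("<HHHHIIIHH", data[offset + 6:offset + 30])
        result["members"].append(data[offset + 30:offset + 30 + nlen].decode("utf-8", "replace"))
        result["encrypted"] |= bool(flags & FLAG_ENCRYPTED)
        if flags & FLAG_DATA_DESCRIPTOR:
            break  # streamed entry: cannot skip past it without inflating the data
        offset += 30 + nlen + xlen + csize
    return result

def gateway_verdict(data: bytes) -> str:
    """Policy: reject bare PDFs (as the post's SMTP server did) and quarantine archives that hide their contents."""
    info = inspect_attachment(data)
    if info["kind"] == "pdf":
        return "block: PDF attachment"
    if info["kind"] == "zip":
        if info["encrypted"]:
            return "quarantine: password-protected archive, contents cannot be scanned"
        if any(m.lower().endswith(".pdf") for m in info["members"]):
            return "block: archive contains a PDF"
    return "allow"

def make_sample_zip(encrypted: bool) -> bytes:
    """Constructed sample: a ZIP holding 'statement.pdf' (not a real document)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("statement.pdf", b"%PDF-1.4\n% constructed sample, not a real document\n")
    raw = bytearray(buf.getvalue())
    if encrypted:
        # The stdlib cannot write password-protected ZIPs, so set bit 0 of the first local header by hand.
        raw[6:8] = struct.pack("<H", FLAG_ENCRYPTED)
    return bytes(raw)
```

A real gateway would apply the same verdict to the other archive formats it accepts, since the evasion works with any container the filter cannot look inside.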

The attacker can sit back and relax until the target opens the PDF document... which the target does =). However! When the target opens the PDF document, the reader "crashes" before they can read the document. So they email back saying they are unable to read it. The attacker then replies with the "correct" PDF...

Again, the attacker proceeds to enter all the necessary information for the exploit to function, creates the new document and delivers it using the same method as before. Just like before, there is nothing left for the attacker to do except wait for the target to open the document...

After the target has refreshed their inbox, they notice they have received the "correct" PDF. Upon opening the file, a "Save as" window pops up (1), and of course they wish to save the PDF or just want to read the document, so they just click next... After reading the message (2), they click on "open". After doing those steps the target is able to read the document...

...meanwhile the exploit has worked and the attacker has another meterpreter shell on the target's machine.

(1) This is really a meterpreter agent, NOT the PDF file it claims to be. It has cloned the filename from the PDF the attacker used.
(2) The message is what the attacker left.